IETF Logo Mail Archive

Re: [lamps] struggling with CSRAttrs

David von Oheimb <David.von.Oheimb@siemens.com> Tue, 02 August 2022 10:45 UTC

Return-Path: <david.von.oheimb@siemens.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8E3AC1907B7 for <spasm@ietfa.amsl.com>; Tue, 2 Aug 2022 03:45:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.611
X-Spam-Level:
X-Spam-Status: No, score=-4.611 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, SCC_THREE_WORD_MONTY=2.497, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=siemens.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6iNsSJTlJlM2 for <spasm@ietfa.amsl.com>; Tue, 2 Aug 2022 03:45:20 -0700 (PDT)
Received: from EUR03-VE1-obe.outbound.protection.outlook.com (mail-eopbgr50075.outbound.protection.outlook.com [40.107.5.75]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71540C14CF09 for <spasm@ietf.org>; Tue, 2 Aug 2022 03:45:19 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=dx1IlQmsW4JG+vCZQMli50kttR9Os0RzW11gr0X8mIGM4rMKmd4qlj5IE3H7/rc5nkS01QIixbrUIbJS9y7mCaowhudb2DR9F2zyF/Ua8ZFq216FTJ7moNRpsXPgqlFrh0/FbXwl9BlT11rE/wf7BeV4bvwiMdafRmU/cdw+vz5tnO21GcUALpw14zEuOFs2V9lwj20St4W2u5re7r0PFNcm2ahR0TpSZMPJeukqV8mc0Xq3xE82GEBWAykSmk8HNP9IzVj1W0Ei4NjgRSBR+a29USUbJzbBTb3uZPG+Xc/UI38KgYHoMAh1vukSjhyiK3FxWfq+K2rfe6w2AnLnBA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=yUVT5GB/M+4+1RQHSsdFXSufQk+OsRPM1X+CZC5L034=; b=Dq2K7xmWh6h4WZ2qOLCj+XVj4Mc4VCYM9XMdDkhBY4IbTGAGi0YNOXdc85J3f6/rfELh+xXmU2V+X0+tMRf+lFRLjp8qKntGAM5H5T95F6HjYNPYJfCzsujX//g6u8QDhzr7jNlCNP7i/nsgPrlXQoyOct5kEMFC/zLp3gUzqG8cJqUyHkeVvsOunXaCx+v1g5o/LSTjc9ofWdW2mFgR4g6KpURJgCkK8jD1ZgfGWHEeOBBdSLkjt6zVmQ0K2OvIVbUYdaXY0AkyZaZC49WEh6MPco57fU/X3YE4Z2+t66pRZBfJkvuB7EaP6x9t5Z04XWD2n2j+dqxq2MN4cMgtqQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=yUVT5GB/M+4+1RQHSsdFXSufQk+OsRPM1X+CZC5L034=; b=t0J0YZOSrGuCaTexSATBm/Sh6CxR11iPvbNk+t3v1cQffyoM0+MvbLsc0tTLSOtjbiVr2oH6sC3ugbcfZVmDVHVIa6DLbgzn5gEVIC1o0S3ceCipP9Qh4tpC2U0wMge9TnmeqP3Gyjg802rMETYGVyXPoiootJu3A7vu+oZGNyZX/mzu+4ro7QdpOZAF3RFHtotDb9fVM4QRwExazj9M4ygEP6xPhp+W6/E5b7/atgmHCPs50fzeusFU1jIcs+oEgI2ZMzoAHYx/S/mjASjcztbpCZsH0pNKZO+xK92LJXgO2JZzXa95FiWgHA5G0x0ruYboNVNB0lMJYcIFQXS3aw==
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=siemens.com;
Received: from DB9PR10MB5884.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:398::20) by PAXPR10MB4899.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:102:1dc::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5482.6; Tue, 2 Aug 2022 10:45:15 +0000
Received: from DB9PR10MB5884.EURPRD10.PROD.OUTLOOK.COM ([fe80::d812:1924:5b55:5f81]) by DB9PR10MB5884.EURPRD10.PROD.OUTLOOK.COM ([fe80::d812:1924:5b55:5f81%8]) with mapi id 15.20.5482.015; Tue, 2 Aug 2022 10:45:15 +0000
Content-Type: multipart/alternative; boundary="------------V6R7MAmgcJVOnMLfVlvSny9K"
Message-ID: <56a8af3a-63f2-5f19-62d9-59469ab678bf@siemens.com>
Date: Tue, 02 Aug 2022 12:45:04 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0
Content-Language: en-US
From: David von Oheimb <David.von.Oheimb@siemens.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: LAMPS WG <spasm@ietf.org>
References: <12352.1657505901@localhost> <ada963a796ca3fafb42a29751020ff4326fd2a1e.camel@von-Oheimb.de> <563732.1659120308@dooku> <36c409c2-ab92-4ec2-6f1e-235652a243d9@siemens.com>
In-Reply-To: <36c409c2-ab92-4ec2-6f1e-235652a243d9@siemens.com>
X-ClientProxiedBy: FR0P281CA0013.DEUP281.PROD.OUTLOOK.COM (2603:10a6:d10:15::18) To DB9PR10MB5884.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:398::20)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 37568314-613d-445d-88f4-08da7474150e
X-MS-TrafficTypeDiagnostic: PAXPR10MB4899:EE_
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: nYxTezuMUh/a19b6qi1jYpA8FJjy3NxTcGKcuFPyCHcSWXvQOu4n+W+vvF7r1xr9IkhWqRmoZHCVApRaE4zS6ce5QtZxgGGS5KW0AGZXQFpvGKlySkVAmm+KtQSqi39eHhITywvNvEOO966AIjQzoyiW6+zLP3xZa89iQWguNCYs4qpXVH9vayZhCdbJlhg+el6iCGZ//jAEsryKuSwnSMIXUgaTFkL3MV0SDHAoJF4/yrOZ2MjCnvnY1fkkGTXYnkcz1hU1t/UnLE32KaSiXvbqObZl5GIw7P5hAn8IN+dIYQjkxJpAhHMowA6VZGC9lyTnKaM1ND0CK+iDeUFDrHvmdgWDRvrbzYmqd8zDaGmrWQyJrKTBkywKlIjGG73g6bjFh6mupZ2yqZJjkCbgBtU+vHxvvRzrsnnz4J9JG1eZ7FvrhWUH9+fDgW4ekQMTbwbRnG7dUfCagfwJ0u7kjYwv1PSuISTPFkrTWd+MVlcXkJ4RjNrEKFjTWuy3ldBstTQMhyeecAN7iCEO6s0z3kaireGuzKlt7UORlj3AyVFHQKKvM2KCrgrdv/cNcPS5DBBBLx8XG2Q8YxRp0hddMJ5DtgU8dKMlWre1Ty+9UylXjQVfhKyA/Dd1wAnryECln9TxVV5GEB/R8NSAzPF4kYvX5Zc0E40KJXW+JsfxPOUK+T8OzXJ3sV7K1uSOf4dc6nY3If/7tj0vebz504Dwc7fbNUwepnaCu1gnv/lLViwKFICW9JSJmRFq/NaUUkp9RStnVDqwRnuIpWxM/BfLfg4U9MnabCVufeBY18UeEXolpzoffcGhud4K3sHRHUPnULntigEOBqyqtiFpn0iL+UWnLL6IcCo03+hdqT5BrSTaMyruTIPl4z+lQzSbf0YDxTo/hrNuqg3iZWwXrNZbPg==
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB9PR10MB5884.EURPRD10.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230016)(4636009)(396003)(346002)(366004)(376002)(136003)(39860400002)(41300700001)(83380400001)(2616005)(31686004)(166002)(86362001)(2906002)(33964004)(6666004)(53546011)(6506007)(30864003)(6512007)(36756003)(26005)(38100700002)(6486002)(186003)(8676002)(66946007)(66556008)(66476007)(8936002)(478600001)(4326008)(5660300002)(31696002)(316002)(966005)(82960400001)(45980500001)(43740500002); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: KsIDV9wBhBHT+x+k7mLw5nlSL528zUHyZEhBNa6CaG7c/Gc5x6PlUtfq63MR5/UvrMNmy7qA6UMWGVp4M6iE+T7MDOldG1fy0wvgWJJWpmj36TYxqkdPMoMEXhi1cHH+K03zjzYoxg/CQyVvPiB0N1W17cIvc2Bz3aOuzvgSno9H0TwO4/qRbNLEpgBDMdwFp8Xd8blw7YBqZrFNfyP5Ci0screHbtaRD2nEzY0r/VvujIE/fC7aTLfykhK1n3yQfThH5XlZBlxXTgfjTVNSUANPfKMgYQEtl2hhzfmXLUekij0VRaXqPwFgLlUb+18bglWU9aAFeYjqPNVH0BB278ukr/VBWNIzYZW5zENcPAlGnu6lV/axYFZK/nDmxxwDVDDV2O6cy0WpdPRCC5k2nR6oQPo1QCJxlXbXavVL/VFPejCjz7HXWiqc/2udMt9NtxizSsRZeedITqJ/hG6dJoOUZfVJO0KMURxztcoKb6UdM+eKLXelzqzEPtG8MgXIfBSTQFkaPKZLCYl9hks24vCC5jcwEa50zL0hWXxcL4nyuD7qPhaZyfY8FS5VOkmRfuCd+aK3TjK1a/8q7jw/RZmgdr7dLpjnNF8dcKsAxzZFaz8oUujZyKUxYIzRU81ujR8sBgVSaqtF5Ssr+Tuy06JES2ODg33h+pUH1llPI5wAu6ANG+NEsyGQlV3ZMf7zTSS9957CWn/xQ12yHxrBIsxP1T+r+SwyZjZiYyAthwYyG2kb1rXOuXoNtJ+Epe0isarueCzfHF471RwHmkmk4JyfEZZ40A8+dmuGiBYiI9qYzO6yzODEShIKTlOArFaBswCC+3cD1x5F9oaTgTdOsqL4MYybOWEFV9O3r3xprnn3xqnH13OFCqQjKLiKsvl4SKAWP5ss1UVfJHPbTk7CflOA9l/0+vlvScNVKfc3ZJNYvaLM/LwRDEe/RfxTODIyLK1aqslA2IYoyRQ15ouzs85WAFBtdZct3ES0XufUGGvnb/qSqOtIcYTEMonBYqxs3OFw0lY9jo9OqFui7fWyPFR9fzL8d+6Utiq/+Alid8Qr4M5vj4icBjOZWuzzoi2kQbgf1uzuke8vQWiEtg+lTtRN8on46A0ZPmGkHP3bk2kd8JvzP6rH/OvVCxrPwQrRdfCq3eqKP2fbVhwE/7+yx9jas9DirzH4klWylvPDmLeI2WlCwzUvUP24n1nNjiZDuiNUmMrQC+5wiOaA487ck5YL30Cl0fbw+2kOQ8m2gzXIyNbQ8UHekOU1RSR7TknTIweFxGHKPp6d+yWw+HjG1iM8ul75s7TX2f0NJoMU01CVCc/pZK1BdsQZnxPGaAl6usTAuHgKw00VGXAbJRKwtXCWrBiK5Ft69DzNLgihuRdkApScVJOqBifA0zo+0gJ51HDlcUR46mdTZKlJhUluGORkY4scJVtbCrPfr2SnjLHp2FOMmEJsuLNFfOyIdao71fHJjxeBBNdqKUd4v6+YqqcK+U6BH7KgZPwZedICIDNN8u8io1d5aBDIEZwv8wbeuR70b+ovdvLXSEGkuXBdhSeypmpDVWkZwYHBREabyHaHGpw9wQo131NK8A3J8p7svdHq08xJIIAXzC2UulGxhIB29dxlflKSVCTvhcDj9gw=
X-OriginatorOrg: siemens.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 37568314-613d-445d-88f4-08da7474150e
X-MS-Exchange-CrossTenant-AuthSource: DB9PR10MB5884.EURPRD10.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 02 Aug 2022 10:45:15.4815 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: cWzkP+FIyTWps3IR3eevtZ8zqRf8h/aITMjeyTwTIznX3uJeTVunBM++OMkk/sqUPHKZvhYKuYNLGQhx4UP6HGoKF6z7rExHupxjCr58WVo=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PAXPR10MB4899
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/6oCcn6QedlnSbjvNZhFvJBjkeZ0>
Subject: Re: [lamps] struggling with CSRAttrs
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Aug 2022 10:45:24 -0000

Here are further things to clarify, which I happened to come across 
yesterday
when tweaking the OpenSSL implementation 
<https://github.com/openssl/openssl/pull/18931> of X.509 extensions in 
PKCS#10 CSRs (and certs).

It is common practice for PKCS#10 objects to contain just one X.509 
extension attribute with a single set element,
although this appears not explicitly required by RFC 2986 
<https://www.rfc-editor.org/rfc/rfc2986> (at least I did not find this 
there),
and the value of this attribute is a sequence of actual extensions:

	Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension

defined in RFC 5280 section 4.1 
<https://datatracker.ietf.org/doc/html/rfc5280#section-4.1>, which also 
makes clear that X.509 certs can bear only one such list:

    TBSCertificate  ::=  SEQUENCE  {
         version         [0]  EXPLICIT Version DEFAULT v1,
         ...
         extensions      [3]  EXPLICIT Extensions OPTIONAL
                              -- If present, version MUST be v3
         }

As mentioned on July 19 (see other email below), the CsrAttrs syntax 
gives quite some needless
freedom how to represent multiple X.509 extensions (and potentially 
other types of attributes).

I believe we should clarify that

  * There MUST be /at most one/ attribute describing X.509 extensions,
    i.e., one bearing the OID extensionRequest (1.2.840.113549.1.9.14)
    as its type.
  * The set in such an X.509 extension value MUST contain exactly one
    element.
  * The value of such an attribute MUST be of type Extensions, i.e., a
    sequence of Extension.

In this light, I've just updated the example to reflect the type 
*SEQUENCE OF* Extension
and extended it with two (non-critical) extensions to make it more 
general/educative:

SEQUENCE {
   SEQUENCE {
     OBJECT IDENTIFIER extensionRequest (1 2 840 113549 1 9 14)
     SET {
       SEQUENCE {
         SEQUENCE {
           OBJECT IDENTIFIER basicConstraints (2 5 29 19)
           OCTET STRING, encapsulates {
             SEQUENCE {}
             }
           }
         SEQUENCE {
           OBJECT IDENTIFIER extKeyUsage (2 5 29 37)
           OCTET STRING, encapsulates {
            SEQUENCE {
               OBJECT IDENTIFIER serverAuth (1 3 6 1 5 5 7 3 1)
              }
             }
           }
         SEQUENCE {
           OBJECT IDENTIFIER subjectAltName (2 5 29 17)
           [0] {
             BOOLEAN TRUE
             }
           OCTET STRING, encapsulates {
             SEQUENCE {
               [2] 'domain.example'
               }
             }
           }
         }
       }
     }
   }

Moreover, we might specify what an empty list of X.509 extensions means,
such as to express that no X.509 extensions should/must be used in the CSR.

     David


On 31.07.22 19:40, David von Oheimb wrote:
>
> Hi Michael et al.
>
> On 29.07.22 20:45, Michael Richardson wrote:
>>>>     Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE {
>>>>          extType  ATTRIBUTE.&id({IOSet}),
>>>>          extAttr  SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type})
>>>>     }
>>> Well, this definition is semantically identical to the original one.
>>> So better not rename the two fields of the Attribute structure, i.e., we
>>> should stick with 'type' and 'values',
>>> in particular since there may be attributes that are not X.509
>>> extensions.
>> I found it clearer, but if you object to this rename, then I'll go with your preference.
>
> Let's keep the original field names.
> Also because this underlines the important fact that we do not change 
> the ASN.1 syntax at all,
> which is critical for bits-on-the-wire compatibility, but we just 
> clarify its use and interpretation.
>
> I've just made a pass on lamps-rfc7030-csrattrs.mkd in the GitHub 
> repository.
> Its new version contains various suggestions for improvements here and 
> there.
> Also updated the subjectAltName example to be of the more usual form 
> of a dNSName
> and inserted two questions/remarks:
>
>    (TODO: Do we want to allow an empty extnValue (which is of type OCTET
>    STRING), which would mean that the client is told to include an X.509
>    extension of the given type and fill in the concrete value itself?)
>
>    (TODO: Note that this mechanism does not support telling the client
>    to include in the CSR a specific subject DN, simply because there is
>    no OID for this.  I think we should better make this clear, or we
>    have to define such an OID if setting a subject name should be
>    supported.)
>
> I also corrected the spelling of my (co-author's) name in 
> presentations/ietf114-lamps-csrattrs.{fodp,pdf}.
>
>     David
>
>

On Tue, 2022-07-19 at 20:58 +0200, David von Oheimb wrote:
> Hi Michael, Sean, et al.,
>
> on Sun, 2022-07-10 at 22:18 -0400, Michael Richardson wrote:
>>
>> Sean, sorry to be asking this with less than 24h to ID cut-off.
>> I didn't want to post an updated ID until I had example code that 
>> produced
>> what I *thought* you are suggesting.  Moving a SEQ/SET around isn't that
>> hard... only now I've confused myself.
>>
>> We had:
>>
>>    CsrAttrs ::= SEQUENCE SIZE (0..MAX) OF AttrOrOID
>>
>>    AttrOrOID ::= CHOICE (oid OBJECT IDENTIFIER,
>>                          attribute Attribute }
>>
>>    Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE {
>>         extType  ATTRIBUTE.&id({IOSet}),
>>         extAttr  SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type})
>>    }
>
> Well, this definition is semantically identical to the original one.
> So better not rename the two fields of the Attribute structure, i.e., 
> we should stick with 'type' and 'values',
> in particular since there may be attributes that are not X.509 extensions.
>
> According to 
> https://datatracker.ietf.org/doc/html/draft-richardson-lamps-rfc7030-csrattrs
> the only thing that is "changed" is the clarification that the 
> attributes may contain entire X.509 extensions.
> So BTW I believe we can and should claim that this is bit-on-the wire 
> compatible with RFC 7030.
>
>
>> with the understanding that extAttr could be a SET of Extensions.
>
> Better also state that in this case the type/extType field MUST bear 
> the value extensionRequest (1.2.840.113549.1.9.14).
>
>
>> Each Extension is given by:
>>
>>    Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
>
> The Extensions structure is only needed within certificates (where 
> there is just one extensions field).
> All needed here is the Extension structure - there are already more 
> than enough of those sequences and sets around;-)
>
>>
>>    Extension  ::=  SEQUENCE  {
>>         extnID      OBJECT IDENTIFIER,
>>         critical    BOOLEAN DEFAULT FALSE,
>>         extnValue   OCTET STRING
>>                     -- contains the DER encoding of an ASN.1 value
>>                     -- corresponding to the extension type identified
>>                     -- by extnID
>>         }
>>
>>
>> 1) I'm not sure why I need a SET of a Sequence, unless your intent 
>> was that
>>    extAttr could be an *Extension* ??  I'm gonna go with yes here, but I
>>    didn't code that yet.
>
> In my view, the set-valued
>
> extAttr SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type})
> (or better, as in the original definition in 7030):
> values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type})
>
> is not really needed because multiple attributes can be given anyway 
> using multiple attributes, and each of them may then have a different 
> type.
> If multiple values are given as a set within a single attribute, all 
> its elements must have the same type.
> So in practice I suppose that for all attributes the SETs given within 
> each of them usually will have just one value element.
>
>>
>> 2) I think that extnID would be things like subjectAltName,
>>    i.e. OID: 2.5.29.17
>
> Right.
>
>>
>> But, if so, what is extType for this?
>
> The (ext)type is needed to provide the information, using 
> "extensionRequest", that an X.509 extension is being given in this 
> attribute.
>
>
>>
>> ASN1 that I have right now, where I've put subjectAltName in twice:
>>
>> obiwan-[projects/pandora/fountain](2.6.6) mcr 10396 %dumpasn1 
>> tmp/csr_bulb1.der
>>   0  84: SEQUENCE {
>>   2  82:   SEQUENCE {
>>   4   3:     OBJECT IDENTIFIER subjectAltName (2 5 29 17) <--- WHAT 
>> GOE, uS HERE?
> Replace this by extensionRequest (1.2.840.113549.1.9.14)
>
>>
>>   9  75:     SET {
>>  11  73:       SEQUENCE {   <--- SEQUENCE here might be undesired.
> SEQUENCE here is fine, as demanded by the Extension structure.
>
>>  13   3:         OBJECT IDENTIFIER subjectAltName (2 5 29 17)
>>  18   3:         [0] {
> The "[0] {" (and the closing 2}") is likely superfluous/wrong here.
>
>>  20   1:           BOOLEAN TRUE
>>        :           }
>>  23  61:         SEQUENCE {
>>  25  59:           [0] {
>>  27  57:             UTF8String
>>        :               'rfc8994+fd739fc23c3440112233445500000000+@acp.ex'
>>        :               'ample.com'
>>        :             }
>>        :           }
> This encoding of a SAN appears strange to me - which flavor of 
> GeneralName are you aiming at?
>
>>        :         }
>>        :       }
>>        :     }
>>        :   }
>
> - David

v2.23.0 | Report a Bug | By Email